Pages

Wednesday, April 20, 2011

European Cybercrime 10 Years On - Why It’s Not Working

Recently at the 10th anniversary of the Budapest Convention against cybercrimeCecilia Malmström(Member of the European Commission responsible for Home Affairs) spoke of the need for Europe to “take stock of the new challenges, as the threat is very much a real one.”

The address then went on to mention that “much had been achieved” by the European Cyber Crime units, and proceeded to discuss items such as recent attacks against carbon trading systems, and a wider attack on EC email systems (which had also left Malmström without email on a recent trip to Cairo).

As we all know living in cyberspace and using the international highways of the internet for our daily business and leisure commutes, the threats are ever changing and as stated in the address “the number of cyber attacks in the world is on the rise, and the cost of cybercrime is skyrocketing.” (International Cybercrime markets are rumored to be worth anywhere from US $500billion to $1Trillion per annum) - lucrative business to say the least!

Another aspect which was highlighted (and one which I feel is often overlooked) was that of “EU institutions are far from immune” - something that I feel is often dismissed or paid little attention too (why should it be entirely up to the United States to deal with all international cybercrime?).

So much is made of the “cyber war” currently raging between the United States, China, Russia (and some of the other international superpowers); with little, to no attention being given to the European aspect and more importantly the EU impacts on international cybercrime.

The recent economic growths throughout Europe (bank bailouts aside), upgrades to infrastructure, communications, and internet speeds, coupled with the reduced costs of equipment required for cyber criminals to operate (or establish their operations), has greatly assisted these groups and cartels in their mission.

Now, introduce a “patchwork” European Cybercrime framework and laws to which 10 European (EU member states) countries have not yet agreed to, and or ratified, and you have a haven for cybercriminals and terrorists to exist (one would liken it to a Las Vegas environment during the prohibition; where drinking and gambling were allowed to operate without fear of capture or imprisonment).

Let me take a second to explain the relationship between the European Union member states, and those who are currently aligned and enforcing the EU’s Cyber Crime Pact.

In order to become a member of the EU, you need to undertake the privileges and obligations that EU membership entails and abide by the relevant laws or pacts passed by the European Union (amongst numerous other obligations).

Right - time for facts and let’s take a look at how many of these twenty seven (27) member states have agreed and ratified the European Cyber Crime Pact (after 10 years!). Currently, ten (10) of twenty seven (27) countries have yet to ratify the European Cyber Crime Pact! Yes - you read that correctly, just under 40% of the EU member states have not signed up to the European Cyber Crime Pact. Pretty difficult to enforce and proceed with efforts when nearly 40% of your members have yet to outline their commitments!

In the address Cecilia Malmströmsaid she hoped (yes - that’s right, “hoped”) Belgium and the United Kingdom would sign up soon, which still leaves Austria, Czech Republic, Greece, Ireland, Luxembourg, Malta, Poland and Sweden as the countries who have yet to sign (for whatever reasons). Malmström then urged all of these countries to speed up their efforts.

With the upcoming formation of a European Computer Emergency Response Team (CERT) to be established by the end of May 2011 and the call for co-operation between the United States and the EU on Cybercrime, this might perhaps lessen (or possibly even increase!) the current work levels of Europol (the European Police) and InterPol (the world’s largest international police organization) in supporting member states in these areas.

In conclusion, Malmström said she was “open to ideas about the need for better training” which will include a European Cybercrime Centre by 2013 (talk about playing catch up to those cybercriminals who would have been operating for a number of years!). Malmström said there would be a feasibility study next year (2012) to decide what it should do and where it should be based.

In my opinion, the logical choice for this would be in Dublin, Ireland. I have witnessed some of the leading international efforts by the law enforcement bodies and Educational Institutes to deal and lead efforts on these fronts which include the UCD Centre for Cybersecurity and Cybercrime Investigation (which is currently Europe’s leading centre for research and education in cybersecurity, cybercrime and digital forensics). That is of course if Ireland would sign the European Cyber Crime Pact!

On a positive note: it is worth noting and applauding the efforts of ENISA (European Network and Information Security Agency) who are coordinating and assisting (where possible!) the local CERT teams within the member nations, and the efforts of EuroPol and InterPol to assist local law enforcement in these areas.

Finally, let’s take a look at Europe vs United States on Cybercrime legislation and enforcement; and how Europe can perhaps learn from our friends across the water.

Within the European Commission, Vice-President Kroes is responsible for cyber-security and Commissioner Malmström for tackling cyberccrime. Within the United States, the Department of Homeland Security, Department of Justice, Department of State, Department of Commerce and other federal entities collaborate to help strengthen cyber-security and fight cybercrime (a far more comprehensive viewpoint and coverage from our friends in the United States I feel, with a number of dedicated departments and entities responsible for this!).

The proposed efforts from Europe include the following:

expanding incident management response capabilities jointly and globally, through a cooperation programme culminating in a joint EU-US cyber-incident exercise by the end of 2011

a broad commitment to engage the private sector, sharing of good practices on collaboration with industry, and pursuing specific engagement on key issue areas such as fighting botnets, securing industrial control systems (such as water treatment and power generation), and enhancing the resilience and stability of the Internet

continuing EU/US cooperation to remove child pornography from the Internet, including through work with domain-name registrars and registries

advancing the Council of Europe Convention on Cybercrime, including a programme to expand accession by all EU Member States, and collaboration to assist states outside the region in meeting its standards and become parties.

Commissioner Malmström has emphasized that co-operation with the United States with vital to the fight against online crime (this goes without saying). On a personal note - I do perhaps feel that the United States has enough on its plate at the moment, and Europe simply cannot afford wait for the US to guide or assist us through all these steps. While lessons learnt from the US could be invaluable - I do feel Europe has to take the direct route, roll up their sleeves and ensure efforts for Cybercrime detection, prevention, and reduction happen sooner, rather than later.

"If you have any suggestions on upcoming articles, please feel free to comment. Be sure to follow both InfosecIsland (@infosecisland) and Jared Carstensen (@jaredcarstensen) on Twitter."